Attackers are increasingly abusing Amazon Simple Email Service (SES) by using exposed AWS access keys to send large volumes of highly convincing phishing emails that bypass authentication checks and reputation-based blocks. Kaspersky links the surge to automated secret-scanning tools that harvest leaked IAM keys from public GitHub repos, .env files, Docker images, backups, and S3 buckets, enabling scalable phishing and BEC campaigns.
Key points
- Amazon SES is being abused to send phishing emails that pass SPF, DKIM, and DMARC checks and evade reputation-based blocking.
- Exposed AWS IAM access keys in public GitHub repos, .env files, Docker images, backups, and S3 buckets are the primary driver of the spike.
- Attackers use automated tools like TruffleHog to find secrets, validate permissions, and mass-distribute phishing via compromised SES keys.
- Observed campaigns include realistic templates, DocuSign-themed document-signing lures, fabricated email threads, and sophisticated BEC scams targeting finance teams.
- Mitigations include enforcing least-privilege IAM, enabling MFA, rotating keys regularly, applying IP-based restrictions and encryption, and reporting abuse to AWS Trust & Safety.
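The least-privilege and IP-restriction mitigations can be checked mechanically. The following is an added example, not code from the report or from AWS: a small audit that flags IAM policy statements which would let a leaked key send SES mail from anywhere. The two sample policies, the account ID, domain, sender address and IP range are constructed placeholders, and the function name is hypothetical.

```python
import fnmatch

SEND_ACTIONS = ("ses:SendEmail", "ses:SendRawEmail")  # SES sending actions checked here

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_ses_policy(policy):
    """Return (statement_index, finding) pairs for overly broad SES send grants.
    Only Allow statements with an Action element are evaluated (NotAction is not)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # IAM action patterns use * and ? wildcards, which fnmatch also understands.
        if not any(fnmatch.fnmatchcase(s.lower(), a) for a in actions for s in SEND_ACTIONS):
            continue
        if any("*" in a for a in actions):
            findings.append((i, "wildcard action covers SES sending"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "Resource is *, not a specific SES identity"))
        ip_keys = {k.lower() for k in stmt.get("Condition", {}).get("IpAddress", {})}
        if "aws:sourceip" not in ip_keys:
            findings.append((i, "no aws:SourceIp restriction"))
    return findings

# Constructed sample: the kind of broad grant that makes a leaked key useful for bulk mail.
WEAK = {"Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}

# Constructed sample: one verified identity, one sender address, one egress range.
HARDENED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:us-east-1:111122223333:identity/example.com",
    "Condition": {
        "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        "StringEquals": {"ses:FromAddress": "billing@example.com"}}}]}

if __name__ == "__main__":
    for name, pol in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_ses_policy(pol))
```

With the hardened policy, a key copied out of a repository or image cannot send from outside the listed range or under a different From address, which limits what a harvested credential is worth.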